American law enforcement officials have worked with Russia’s Federal Security Service (FSB) to help stop cyber crime. However on Wednesday the Justice department accused the FSB of recruiting a man with dual Canadian and Kazakh citizenship, Karim Baratov, to work with Russian intelligence to hack Yahoo email accounts in 2014.
The allegation was made as Baratov, 22, an alleged hacker named Alexsey Belan, and two FSB officials were charged with the 2014 theft of information about at least 500 million Yahoo accounts, and the use of that information to obtain the contents of accounts at Yahoo and other email providers.
The charges don’t relate to the much bigger 2013 Yahoo hack, which involved millions of accounts.
Baratov was arrested by Toronto Police’s fugitive squad on Tuesday morning and turned over to the RCMP. An extradition hearing is expected.
Justice department officials named the two FSB officers as Dmitry Dokuchaev and Igor Sushchin, alleging they “protected, directed, facilitated and paid criminal hackers to collect information through computer intrusions in the United States and elsewhere.
“They worked with co-conspirators Alexsey Belan and Karim Baratov to hack into computers of American companies providing email and internet-related services, to maintain unauthorized access to those computers and to steal information, including information about individual users and the private contents of their accounts,” according to a statement by Acting Assistant Attorney General Mary B. McCord.
All four are charged with conspiracy to commit computer fraud, which carries a maximum penalty of 10 years. Dokuchaev, Sushchin and Baratov are also charged with conspiring to commit access device fraud and with conspiring to commit wire fraud.
It is alleged that Dokuchaev and Sushchin “tasked Baratov with gaining unauthorized access to individual user accounts at Google and other providers and then paid Baratov for providing them with the account passwords.” In some instances, the Justice department alleges, Dokuchaev and Sushchin tasked Baratov with targeting accounts that they learned of through access to Yahoo’s user database and account management tool. These would include Gmail accounts that served as a Yahoo user’s secondary account, the Justice department alleges.
“The defendants targeted Yahoo accounts of Russian and U.S. government officials, including cyber security, diplomatic and military personnel. They also targeted Russian journalists; numerous employees of other providers whose networks the conspirators sought to exploit; and employees of financial services and other commercial entities.,” said McCord.
“Belan has been indicted twice before in the United States for three intrusions into e-commerce companies that victimized millions of customers, and he has been one of the FBI’s most wanted cyber criminals for more than three years. Belan’s notorious criminal conduct and a pending Interpol Red Notice did not stop the FSB officers who, instead of detaining him, used him to break into Yahoo’s networks.
“Meanwhile, Belan used his relationship with the two FSB officers and his access to Yahoo to commit additional crimes to line his own pockets with money. Specifically, Belan used his access to Yahoo to search for and steal financial information, such as gift card and credit card numbers, from users’ email accounts. He also gained access to more than 30 million Yahoo accounts, whose contacts were then stolen to facilitate an email spam scheme.”
Mark Pugash, director of corporate communications for Toronto Police, said in an interview Baratov was arrested by its fugitive squad in Ancaster, Ont., following a request from several Canadian and other police forces. The squad specializes in “finding people who don’t want to be found,” Pugash said.
He wouldn’t say how long Toronto force had been looking for Belan, but according to the U.S. Justice department it submitted a provisional arrest warrant to Canadian law enforcement authorities, requesting Baratov’s arrest on March 7.
McCord described the FSB as an intelligence and law enforcement agency and a successor to the Soviet Union’s KGB. “The FSB unit that the defendants worked for, the Center for Information Security, aka Center 18, is also the FBI’s point of contact in Moscow for cyber-crime matters,” she said.
The charges came after a grand jury in the Northern District of California indicted Dmitry Aleksandrovich Dokuchaev, 33, a Russian national and resident; Igor Anatolyevich Sushchin, 43, a Russian national and resident; Alexsey Alexseyevich Belan, 29, a Russian national and resident; and Karim Baratov. A U.S. Justice department release alleges he uses the names “Kay,” “Karim Taloverov” and “Karim Akehmet Tokbergenov.”
That release said Belan had been publicly indicted in the U.S. in September 2012 and June 2013 and was named one of FBI’s Cyber Most Wanted criminals in November 2013. An Interpol Red Notice seeking his immediate detention has been lodged (including with Russia) since July 26, 2013. Belan was arrested in a European country on a request from the U.S. in June 2013, says the release, but he was able to escape to Russia before he could be extradited.
In or around November and December 2014, Belan allegedly stole a copy of at least a portion of Yahoo’s User Database (UDB), a Yahoo trade secret that contained, among other data, subscriber information including users’ names, recovery email accounts, phone numbers and certain information required to manually create, or “mint,” account authentication web browser “cookies” for more than 500 million Yahoo accounts,” says the U.S. Justice department.
Belan also allegedly obtained unauthorized access on behalf of the FSB conspirators to Yahoo’s Account Management Tool (AMT), which was a proprietary means by which Yahoo made and logged changes to user accounts, says the statement. Belan, Dokuchaev and Sushchin allegedly then used the stolen UDB copy and AMT access to locate Yahoo email accounts of interest and to mint cookies for those accounts, enabling the co-conspirators to access at least 6,500 such accounts without authorization.
Of the more than 500 million Yahoo accounts for which account information about was allegedly stolen by the defendants, contents of more than 30 million Yahoo accounts were accessed without authorization to facilitate a spam campaign, the Justice department alleges. Accounts of at least 18 additional users at other webmail providers were also allegedly accessed without authorization.
The conspiracy allegedly began at least as early as 2014, say authorities and, even though the conspirators lost their access to Yahoo’s networks in September 2016, they allegedly continued to utilize information stolen from the intrusion up to and including at least December 2016.